
WordPress Under Attack Again

An unpatched plug-in could be leaving WordPress site owners and their neighbors at risk of exploitation.

The open-source WordPress blog and content management system (CMS) software is widely deployed and, as a result, is increasingly targeted by attackers.

More often than not, the root cause of a WordPress compromise is a vulnerable plug-in, and that is the case now with the MailPoet WordPress plug-in. Security researcher Daniel Cid of security firm Sucuri is reporting that a vulnerable MailPoet plug-in is the entry point for malware that is infecting even sites that don't have MailPoet installed.

The MailPoet vulnerability could enable an attacker to inject arbitrary code on a WordPress server. The security issue reported by Sucuri was fixed in MailPoet version 2.6.7, which was released on July 1.

"To be clear, the MailPoet vulnerability is the entry point, it doesn't mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website," Cid wrote in a blog post. "All the hacked sites were either using MailPoet or had it installed on another site within the same shared account (cross-contamination still matters)."

According to Cid, MailPoet has nearly two million downloads, so the risk of exploitation is high for users that have not yet patched MailPoet.

Looking beyond the MailPoet issue and the risk of unpatched WordPress plug-ins, there is also an ongoing brute force attack against WordPress blogs. In a brute force attack, the attackers try to gain access to a site by automatically trying large numbers of username and password combinations. The new WordPress brute force attack is a variation on an attack first reported back in March that leveraged the XML-RPC (Remote Procedure Call) pingback functionality in WordPress to launch distributed denial-of-service (DDoS) attacks.

According to researchers at the SANS Institute Internet Storm Center, attackers are once again attempting to exploit XML-RPC in WordPress. In the March incident, the attackers abused the pingback functionality provided by XML-RPC, which is legitimately used within WordPress to let content owners track where their content is being linked. In the new incident, attackers are abusing the "wp.getUsersBlogs" function, which is intended to provide an administrator with a list of blogs. Because the call takes a username and password and answers with the blogs that user can access, it also serves as a way to test credentials without touching the login page.

There are a number of things that WordPress site administrators can do to limit the risks of the recent round of attacks. The first and most obvious recommendation is to make sure that all plug-ins are updated and fully patched. WordPress also provides a helpful guide on Hardening WordPress that can help mitigate the risk of the brute force attacks.
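One way to act on the hardening advice above is a small must-use plug-in that removes the two XML-RPC methods this article names (pingback.ping and wp.getUsersBlogs) while leaving the rest of XML-RPC working. This is an added example, not code from the article, WordPress or Sucuri; the plug-in name and the blocked-method list are the author's own choices, and the WordPress filters used (xmlrpc_methods, wp_headers, xmlrpc_call) are the real hooks WordPress core exposes.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (example)
 * Description: Drops the XML-RPC methods abused in the pingback DDoS and
 *              wp.getUsersBlogs brute force attacks, and logs what remains.
 * Place this file in wp-content/mu-plugins/ so it loads for every site on
 * the install, including neighbouring sites on a shared account.
 */

// Method names to remove. pingback.ping is the DDoS reflection vector;
// wp.getUsersBlogs accepts a username/password pair and so doubles as a
// credential oracle for brute forcing. The list is this example's choice.
function harden_xmlrpc_blocked_methods() {
    return array(
        'pingback.ping',
        'pingback.extensions.getPingbacks',
        'wp.getUsersBlogs',
    );
}

// xmlrpc_methods receives the method-name => callback map before dispatch;
// anything removed here answers with a "method does not exist" fault.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    foreach ( harden_xmlrpc_blocked_methods() as $name ) {
        unset( $methods[ $name ] );
    }
    return $methods;
} );

// Stop advertising the pingback endpoint in every page response.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Record the remaining XML-RPC calls so repeated attempts from one source
// show up in the PHP error log and can be rate limited upstream.
add_action( 'xmlrpc_call', function ( $name ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'xmlrpc_call method=%s ip=%s', $name, $ip ) );
} );
```

Removing only the abused methods keeps XML-RPC clients such as the mobile apps and Jetpack working; sites that need none of it can instead return false from the xmlrpc_enabled filter to switch the endpoint off entirely.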

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.